Researchers at Gen Threat Labs, led by Threat Researcher Vojtěch Krejsa, have identified VoidStealer, the first infostealer observed in the wild that uses a debugger-based bypass to strip Chrome and Edge of their most sensitive stored data.
The technique is a direct strike against Application-Bound Encryption (ABE), a defense Google introduced in July 2024 (Chrome 127) to "raise the bar" for accessing stored browser data. ABE wraps the key that protects cookies and saved passwords so that only the browser's own process, validated by a SYSTEM-level elevation service, is meant to be able to unwrap it.
Traditionally, bypassing ABE required highly suspicious actions: injecting code into the browser process (to request the key from inside a process the elevation service trusts) or escalating to SYSTEM (to decrypt the wrapped key directly). VoidStealer takes a different, quieter path.
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” the analysis explains. Because this method “requires neither privilege escalation nor code injection,” it represents a much stealthier alternative to previous bypass methods.
VoidStealer attaches to the target browser as a debugger. Any process running as the same user can do this without elevation, because the browser is not a protected process. Instead of trying to break the encryption from the outside, it waits for the browser to unwrap the key itself.
- Placement: The malware locates the address inside the browser where the decrypted master key is handled.
- The Breakpoint: It sets a hardware breakpoint at that address. Hardware breakpoints live in the CPU's debug registers, so no instruction bytes in the browser are patched.
- The Catch: When the browser touches that memory to decrypt a saved password or cookie, the breakpoint fires and the browser is suspended. The malware then "extracts the v20_master_key directly from browser memory". Because nothing has been written into the browser's code or address space, the detections aimed at code injection never fire.
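The three steps above, as an added example that is not VoidStealer's code or the researchers' tooling: a minimal Linux/x86_64 debugger that arms a hardware watchpoint (DR0/DR7, written through ptrace) on a buffer in a child process and reads the buffer the moment the child writes its "key" into it. The target, the key value and the Linux/ptrace plumbing are assumptions for illustration; on Windows the same debug registers are set with DebugActiveProcess plus SetThreadContext using CONTEXT_DEBUG_REGISTERS, but the DR7 encoding is identical because it is defined by the CPU.

```c
// Added example (not VoidStealer code): hardware watchpoint via ptrace on Linux/x86_64.
// The debugger forks a "browser-like" child, arms DR0/DR7 on the child's key buffer,
// and reads the key from the child's memory when the data breakpoint trips.
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* DR7 field values (Intel SDM): breakpoint type and length for DRn. */
enum { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_RDWR = 3 };
enum { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* Build a DR7 value that locally enables DRn with the given type and length:
 * bit 2n = Ln (local enable), bits 16+4n..17+4n = R/Wn, bits 18+4n..19+4n = LENn. */
uint64_t dr7_encode(int n, int rw, int len) {
    uint64_t v = 0;
    v |= 1ULL << (n * 2);
    v |= (uint64_t)(rw & 3) << (16 + n * 4);
    v |= (uint64_t)(len & 3) << (18 + n * 4);
    return v;
}

/* The target's secret: written at run time, watched by the debugger. */
static volatile uint64_t g_master_key = 0;

/* Target side: mimics a program that derives its key into memory. */
static void target(void) {
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    raise(SIGSTOP);                        /* let the debugger arm DR0/DR7 first */
    g_master_key = 0x1122334455667788ULL;  /* constructed key; this write trips the watchpoint */
    _exit(0);
}

/* Write debug register n of the traced process (u_debugreg[n] in struct user). */
static long poke_dr(pid_t pid, int n, uint64_t val) {
    size_t off = offsetof(struct user, u_debugreg) + n * sizeof(unsigned long);
    return ptrace(PTRACE_POKEUSER, pid, (void *)off, (void *)val);
}

/* Debugger side: arm an 8-byte write watchpoint on addr, wait for the trap,
 * then read the freshly written value. Data breakpoints are trap-class, so
 * the write has already completed when the child stops. Returns 0 on failure. */
static uint64_t watch_and_read(pid_t pid, uintptr_t addr) {
    int st;
    waitpid(pid, &st, 0);                                   /* child's SIGSTOP */
    if (poke_dr(pid, 0, addr) < 0) return 0;                /* DR0 = watched address */
    if (poke_dr(pid, 7, dr7_encode(0, DR_RW_WRITE, DR_LEN_8)) < 0) return 0;
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &st, 0);                                   /* SIGTRAP from the watchpoint */
    if (!WIFSTOPPED(st) || WSTOPSIG(st) != SIGTRAP) return 0;
    errno = 0;
    long v = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    if (v == -1 && errno) v = 0;
    ptrace(PTRACE_CONT, pid, NULL, NULL);                   /* let the child exit */
    waitpid(pid, &st, 0);
    return (uint64_t)v;
}

int main(void) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) target();
    /* fork preserves the address layout, so &g_master_key is valid in the child. */
    uint64_t key = watch_and_read(pid, (uintptr_t)&g_master_key);
    printf("key read from child memory: 0x%016llx\n", (unsigned long long)key);
    return key ? 0 : 1;
}
```

Two points carry over to the real attack. First, the debugger never writes to the target's code: the only things it modifies are the debug registers of the target's threads, which is why injection-oriented defenses stay quiet. Second, the debugger still needs a read of target memory after the trap (PTRACE_PEEKDATA here, ReadProcessMemory on Windows), and that cross-process read is the observable event that defenders can hunt for.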
While the technique is designed for evasion, it does leave distinct fingerprints. Because other applications "rarely have legitimate reasons to access" browser memory, the researchers suggest that monitoring for cross-process reads of browser memory provides a useful detection signal; on Windows this is the handle open with PROCESS_VM_READ against chrome.exe or msedge.exe that Sysmon Event ID 10 (ProcessAccess) records.
Furthermore, the malware must overcome a practical hurdle: the user. To keep the victim from noticing a new browser window, attackers often hide the instance they spawn, "launching it via CreateProcess with the SW_HIDE flag, running it in headless mode, or positioning the browser window off-screen".
The arrival of VoidStealer marks a turning point in the evolution of infostealers. By adapting techniques from public proof-of-concept projects like ElevationKatz, threat actors have shown that they can bypass current browser protections without a heavy footprint.
"It is only to be expected that more infostealers will adopt the bypass technique in the future," Krejsa warned. For organizations, this underscores the importance of behavioral monitoring, specifically looking for any unauthorized application that attempts to debug a web browser.
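The detection signals described above (foreign processes reading browser memory, and browsers spawned hidden or headless by an unexpected parent) turned into a triage rule, as an added example that is not from Gen Threat Labs' analysis. The event records are constructed here in the shape of Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate) fields; the allowlist of expected parents and the choice of access mask to match are local tuning assumptions, not something the report specifies.

```c
// Added example (not from the report): flag telemetry that looks like a
// debugger or memory reader working on Chrome/Edge, plus hidden browser launches.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define PROCESS_VM_READ 0x0010u   /* Win32 access right needed to read process memory */

/* Minimal Sysmon-like record. id 10: source/target/granted; id 1: source=parent, target=image, cmdline. */
struct event {
    int id;
    const char *source;
    const char *target;
    uint32_t granted;
    const char *cmdline;
};

enum { VERDICT_BENIGN = 0, VERDICT_BROWSER_MEMORY_READ = 1, VERDICT_HIDDEN_BROWSER_LAUNCH = 2 };

/* Last path component, tolerating Windows separators. */
static const char *basename_win(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

static int is_browser(const char *img) {
    const char *b = basename_win(img);
    return strcasecmp(b, "chrome.exe") == 0 || strcasecmp(b, "msedge.exe") == 0;
}

/* Assumed allowlist: parents from which a user-driven browser launch is normal. */
static int is_expected_parent(const char *img) {
    const char *b = basename_win(img);
    return strcasecmp(b, "explorer.exe") == 0;
}

/* Rule 1: a non-browser process opened a browser with memory-read rights.
 * Rule 2: a browser was started headless by something other than the shell. */
int classify(const struct event *e) {
    if (e->id == 10 && is_browser(e->target) && !is_browser(e->source)
        && (e->granted & PROCESS_VM_READ))
        return VERDICT_BROWSER_MEMORY_READ;
    if (e->id == 1 && is_browser(e->target) && e->cmdline
        && strstr(e->cmdline, "--headless") && !is_expected_parent(e->source))
        return VERDICT_HIDDEN_BROWSER_LAUNCH;
    return VERDICT_BENIGN;
}

/* Constructed sample telemetry (paths and masks invented for illustration). */
static const struct event SAMPLE[] = {
    {10, "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
         "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 0x1FFFFF, NULL},
    {10, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
         "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 0x1FFFFF, NULL},
    {10, "C:\\Windows\\System32\\svchost.exe",
         "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", 0x1000, NULL},
    {1,  "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
         "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 0,
         "\"chrome.exe\" --headless --disable-gpu"},
    {1,  "C:\\Windows\\explorer.exe",
         "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", 0,
         "\"chrome.exe\" --profile-directory=Default"},
};

/* Run the rules over the sample and return how many records alerted. */
int run_sample(void) {
    int alerts = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        int v = classify(&SAMPLE[i]);
        if (v != VERDICT_BENIGN) {
            alerts++;
            printf("ALERT %d: %s -> %s\n", v, SAMPLE[i].source, SAMPLE[i].target);
        }
    }
    return alerts;
}

int main(void) {
    printf("%d alert(s)\n", run_sample());
    return 0;
}
```

The browser-to-browser case is left benign because Chrome and Edge open handles to their own renderer and utility processes constantly; an EDR sensor will also read browser memory and needs its own allowlist entry. The headless rule is noisy on hosts that run browser automation (CI, test runners), so scope it to user workstations or pair it with the parent's own reputation before alerting.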